Firewall Wizards mailing list archives

Re: performance vs. security (was Cisco PIX ...)


From: borkin () netquest com ((NetQuest) Borkin, Michael)
Date: Sun, 30 Aug 1998 00:35:53 -0400



Ryan Russell wrote:

[performance reasons snipped]

If I may also make a sweeping statement:

Performance isn't relevant to security applications.  I.e. you
can't say "it will hurt performance, so we'll leave out some
security."  If that were a consideration, we wouldn't use firewalls.
Realistically, that means that if it's too slow we buy bigger
boxes or suffer along at a slower pace.

Ryan,

  I couldn't disagree more firmly with your sweeping statement (although
your explanation is close to what I will say, only from the other side of
the argument).  The level of security in a system has to be balanced with
the performance level you need to operate.  You want ultimate security,
keep the computer locked in a vault and never turn it on.  Anything less is
a compromise for performance.  The biggest key is deciding which security
measures are truly needed and whether their performance costs are worth
it.  You use firewalls as an example of why performance isn't a
consideration; I turn it back to you.  Is remote access to the network (whether
dial-in or internet) an important enough application that it is worth the
security costs?  Obviously, since this is a discussion list about
firewalls, the general consensus is yes.  I use these examples b/c people
will not argue about whether or not these things are a good idea, but
whether they are even truly relevant (they probably aren't).  I use them
only to illustrate that the basic premise of your sweeping statement is
false.

  Security needs to be a balancing act between precautions against
possible hazards and the ability of the users to make proper use of the
system.  Ease of use is of course the whole point of using computers in a
networked environment in the first place.  If it wasn't then everything
would still be done on standalones b/c the only security that you need to
worry about is physical security.  Therefore the debate has to begin at
what are the reasonable security threats that must be guarded against no
matter what it does to system performance.  An example that I think we
would all agree on is virus protection.  This is such a critical security
measure that it must happen in all circumstances.  But, what about other
security applications that aren't as critical?  It's easy to sit back and
just say "security above all else."  But is security against some
speculated possible threat by someone who is malicious, knowledgeable, and
has the right tools worth slowing your network to a crawl?  In some cases
it may be, but not in all.  This is the balancing act that I am referring
to.

  IMHO, each situation needs to be considered on a case by case basis.  If
a security application creates a performance hit that makes your network
hard to work with, is the added security worth the costs for the
organization?  Lesser performance directly translates into lost
productivity and employee frustration.  It's easy to say, "just buy new
computers."  But, obviously, there are cost factors involved in that.  Are
these costs worth the added security?  If the application adds a level of
security that is important enough, then the costs are.  But, not all
security is worth these costs, and therefore performance does matter.

Mike Borkin

-----------------------------------------------------------------------------------------

Anything written above this line is to be taken as the personal opinion of
the person who wrote it and should not be taken as the opinion or thoughts
of any affiliated organization, family members, friends or acquaintances.
In fact, nobody who has ever met him agrees with a damn thing he has said,
I know, I've taken a poll.  So don't go blaming us for the fact that he's a
crackpot.  We got nothing to do with it.
